Digital miscreants are using keylogging technology and launching
phishing scams at a record rate, according to a new report from
McAfee Inc.
Two IT professionals who read the report said the Santa Clara,
Calif.-based antivirus vendor's conclusions weren't surprising, and
that one of its primary recommendations -- to educate users on the
dangers of phishing -- will only go so far in stopping the bad
guys.
McAfee's Identity Theft Whitepaper points to a massive
increase in the use of keyloggers, malicious programs that track
the user's typing activity to capture passwords and other private
information. Between January 2004 and May 2006, keylogger use rose
250%, McAfee said. Meanwhile, the number of phishing alerts tracked
by the Anti-Phishing Working Group increased 100-fold
during the same period.
"The take-away is that people need to be very careful with the
information that composes their identity," said Dave Marcus,
security research and communications manager for McAfee Avert Labs.
"That information can be a credit card number, your Social Security
number or your address. People need to be very careful about how
they're exposing that information."
Marcus said the growth in malicious activity points to the
continuing trend where attackers are out to make money.
The whitepaper concluded that identity theft is taking a high
toll on economies around the world, and pointed to a Federal Trade
Commission assessment that the annual cost for consumers and
businesses in the United States alone is $50 billion a year. "In
the United Kingdom, the Home Office has calculated the cost of
identity theft to the British economy at $3.2 billion during the
last three years, and some estimates from the Australian Centre for
Policing Research place the cost of identity theft at $3 billion
each year," the McAfee report said.
The whitepaper offered "practical guidelines" for preventing
identity theft, including the need for users to:
- Watch out for phishing scams, fraudulent emails and Web sites
that impersonate legitimate businesses to trick people into
revealing personal information.
- Avoid clicking on links in emails to visit Web sites, but
instead manually type a company's correct Web address into the
browser.
- Install comprehensive security software or services, including
antivirus, antispyware and firewall protection, and keep it up to
date.
- Use caution when opening email attachments, regardless of who
sent them.
- Take care before sharing email addresses.
- Permanently erase computer hard drives before disposing of old
computers.
- Make sure Web sites are secure before visiting and providing
personal information.
- Use strong passwords.
- Use caution when communicating through instant
messaging.
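The guideline "make sure Web sites are secure before visiting and providing personal information" gives no test a reader can actually apply. The following is an added illustration, not code from the McAfee report or the article, of what such a check looks like when written down: it parses a link, pulls out the host the browser would really connect to, and compares it with the domain the user believes they are visiting. The sample links and the `bank.example` domain are constructed, and the registrable-domain logic deliberately uses only the last two DNS labels, an assumption that real tooling should replace with the Public Suffix List.

```python
"""Check whether a link really points at the organisation a user expects.

Added illustration (not from the McAfee report or the article). The
public-suffix handling is naive (last two labels); that is an assumption,
and production code should consult the Public Suffix List instead.
"""
from urllib.parse import urlsplit


def registrable_domain(hostname: str) -> str:
    """Return the last two DNS labels, lower-cased (naive, no PSL lookup)."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname.lower()


def check_link(href: str, expected_domain: str) -> dict:
    """Evaluate a link against the domain the user believes they are visiting.

    Returns {'ok': bool, 'host': str, 'reasons': [str, ...]}; an empty
    'reasons' list means nothing suspicious was found.
    """
    reasons = []
    parts = urlsplit(href.strip())
    host = parts.hostname or ""

    # 1. Only https counts as "secure": plain http exposes anything typed.
    if parts.scheme.lower() != "https":
        reasons.append(f"scheme is '{parts.scheme or 'none'}', not https")

    # 2. A user@host prefix is a classic trick: the real host follows the '@'.
    if parts.username is not None:
        reasons.append(
            f"URL carries '{parts.username}@' before the real host '{host}'"
        )

    # 3. Punycode (xn--) labels can render as look-alike characters.
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append(f"host '{host}' contains an internationalised (xn--) label")

    # 4. Raw IP addresses are not how legitimate businesses publish services.
    is_ip = bool(host) and host.replace(".", "").isdigit()
    if is_ip:
        reasons.append(f"host is a raw IP address '{host}'")

    # 5. The decisive test: does the registrable domain match what the user
    #    expects? 'www.bank.example.secure-login.test' resolves under
    #    'secure-login.test', not under 'bank.example'.
    expected = registrable_domain(expected_domain)
    actual = host if is_ip else (registrable_domain(host) if host else "")
    if actual != expected:
        reasons.append(f"link goes to '{actual or 'nowhere'}', expected '{expected}'")

    return {"ok": not reasons, "host": host, "reasons": reasons}


# Constructed sample links; none of these hosts are real sites.
SAMPLE_LINKS = [
    "https://www.bank.example/login",
    "https://www.bank.example.secure-login.test/login",
    "https://www.bank.example@203.0.113.5/login",
    "http://www.bank.example/login",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        verdict = check_link(link, "bank.example")
        status = "OK " if verdict["ok"] else "BAD"
        print(f"{status} {link}")
        for reason in verdict["reasons"]:
            print(f"      - {reason}")
```

Of the four constructed links only the first passes; the second fails on the registrable domain, the third on the `@` trick, the IP host and the domain, and the fourth solely on the plain-http scheme.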
For IT professionals who are at the mercy of user behavior,
Marcus said the key is "education, education and more
education."
Two IT professionals who read the whitepaper said that advice is
all well and good, but it's not enough to tell users what to do or
not to do. Users also need to be shown concrete examples of how
they can take those steps.
"Education for the masses is key here, but unfortunately the
major flaw with the education is that it is usually given at a
level above what the reader can understand," said Jessica Lynne
Verzi, information security manager at ESL Federal Credit Union, a
financial institution with 17 branches and numerous ATM locations
in the Rochester, N.Y., area, in an email exchange. "For example, in
the McAfee [report] it says 'Make sure Web sites are secure before
visiting and providing personal information.' No offense to the
author, but no one intentionally provides information to a phishing
site. This doesn't give the reader a clue as to how to make sure
the site is secure."
Keith Gosselin, IT officer for Biddeford Savings Bank in
Biddeford, Maine, said in an email exchange that he didn't learn
anything from the report that he wasn't already aware of, though he
thought the report did a decent job of outlining the scope of the
problem. However, some of the raw numbers in the report left him
skeptical.
"I have to wonder what the demographics are … as this would
certainly make a big difference in the numbers," he said. He was
particularly skeptical of the elderly statistics, since "they are
far less apt to admit to being scammed due to their level of
self-pride." [Page 13 of the report noted that 29% of identity
theft complaints come from people between the ages of 18 and 29,
while 24% come from people between the ages of 30 and 39. Only 9%
of complaints came from people aged 60 and older.]
Gosselin said there are places users can go to better educate
themselves on the dangers of phishing and other forms of ID theft.
One place is a Web site called Nophishing.org, a consortium of community banks
in Maine. "We created this site with the assistance of Sari Greene
who is president of a consulting firm called Sage Data Security,"
he said. "We use this site to help educate customers on the ID
theft issue as well as the latest and greatest scams out
there."
At the bank, Gosselin tries to minimize the threat with a
layered security program that includes a firewall and intrusion
detection and prevention systems (IDS/IPS) that are outsourced to
Lowell, Mass., vendor Message Secure Corp.
"Beyond the technology piece we are very policy driven," he
said. "Our IT security program is updated yearly and the staff is
trained on the key components of the program yearly as well. We
have yearly IT audits as well as internal and external penetration
testing and vulnerability assessments done by qualified third
parties."
Verzi's company also fights the dangers of cyberspace with a
layered security program based on the concept of
"defense-in-depth." But in the final analysis, she said there's
only so much people can do to stop identity thieves.
"Phishing is not something that a business can stop, and there
is little they can do to mitigate it," she said. "Phishing will
always be successful because of how humans function on a basic
level of trust."
To that, Marcus said, "It's a valid point that there's only so
much you can do about phishing. The problem is it's all about
social engineering and it's hard to defend against that."
That, he said, is why McAfee spends so much time on education.
And while some people need more education than others, he said
every tip helps, including the advice not to trust messages from
people you don't know.
"The good news is that you can simply delete it," he said. "If
the message was legitimate, that person will send again. But you
can always choose not to click on the attachment or URL."